diff roundup/backends/sessions_rdbms.py @ 4585:033a550812fc

Fix another XSS with the "otk" parameter. Thanks to Jesse Ruderman for reporting.
author Ralf Schlatterbeck <rsc@runtux.com>
date Tue, 07 Feb 2012 14:39:02 +0100
parents 6e3e4f24c753
children bf13b28156f3
--- a/roundup/backends/sessions_rdbms.py	Mon Jan 30 14:52:14 2012 +0100
+++ b/roundup/backends/sessions_rdbms.py	Tue Feb 07 14:39:02 2012 +0100
@@ -7,6 +7,7 @@
 __docformat__ = 'restructuredtext'
 
 import os, time
+from cgi import escape
 
 class BasicDatabase:
     ''' Provide a nice encapsulation of an RDBMS table.
@@ -35,7 +36,7 @@
         if not res:
             if default != self._marker:
                 return default
-            raise KeyError('No such %s "%s"'%(self.name, infoid))
+            raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
         values = eval(res[0])
         return values.get(value, None)
 
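Review bot: The escaped message is still not safe in every HTML context, because `cgi.escape` is called with its default `quote=None` and so leaves `"` and `'` untouched; the message embeds `infoid` inside literal double quotes, and if the KeyError text is ever rendered inside an attribute the value is still injectable. If escaping is to stay at the raise site, pass the quote flag, `raise KeyError('No such %s "%s"'%(self.name, escape(infoid, True)))`, and the same applies to the identical change in the hunk at @@ -45,7 +46,7 @@. Escaping at the model layer also means plain-text consumers (logs, CLI) now see entities, so the durable fix is to have the page that renders the exception text escape it at output time regardless of this change. The enclosing method starts outside this hunk.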
@@ -45,7 +46,7 @@
             n, n, self.db.arg), (infoid,))
         res = self.cursor.fetchone()
         if not res:
-            raise KeyError('No such %s "%s"'%(self.name, infoid))
+            raise KeyError('No such %s "%s"'%(self.name, escape (infoid)))
         return eval(res[0])
 
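Review bot: The call is written as `escape (infoid)` with a space before the parenthesis, which differs from the sibling hunk's `escape(infoid)` and from PEP 8; use `raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))`. The enclosing method starts outside this hunk.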
     def set(self, infoid, **newvalues):
